Main Vulnerability Database Vulnerabilities #VU21923

#VU21923 Reflected cross-site scripting in Broken Link Checker - CVE-2019-17207,CVE-2019-16521

Published: October 17, 2019

Vulnerability identifier: #VU21923

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P/U:Clear

CVE-ID: CVE-2019-17207,CVE-2019-16521

CWE-ID: CWE-79

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Broken Link Checker

Software vendor:
Janis Elsts, Vladimir Prelovac

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to improper encoding and insertion of an HTTP GET parameter into HTML. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website, such as exploit the filter function on the page listing all detected broken links by providing an XSS payload in the "s_filter" GET parameter in the "filter_id=search" request.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

PoC:

https://<host>/wp-admin/tools.php?page=view-broken-links&filter_id=search&s_filter=%22+id%3D%22blc-links%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Remediation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

#VU21923 Reflected cross-site scripting in Broken Link Checker - CVE-2019-17207,CVE-2019-16521

Description

Remediation

External links

Please verify you're human